malwarewikiaorg-20200223-history
CIH
The CIH virus, also known as Chernobyl, was first discovered in 1998 June in Taiwan. According to the Taipei authorities, Chen Ing-hau wrote the CIH virus. The name of the virus derived from his initials. It did most of its damage within a few months of ExploreZip and Melissa's appearance. Contrary to the popular belief, the payload trigger date had nothing to do with the Chernobyl nuclear disaster. Behavior When a CIH-infected file is executed on a system, the virus becomes resident, it infects every executable file accessed. The files infected by CIH may have the same size as the original files, due to the unique infection mode of CIH. The virus searches for empty, unused spaces in the file. Next, it breaks itself up into smaller pieces and inserts its code into these unused spaces. CIH has two payloads which activate on April 26. The first payload overwrites the hard drive with random data, starting at sector 0, using an infinite loop until the system crashes. This makes it impossible to boot from the hard drive. It may be impossible to recover some of the data on the disk. The second payload tries to cause permanent damage to the computer. This payload attacks the Flash BIOS and tries to corrupt the data stored there. As a result, nothing may be displayed when the user starts the computer. The virus can only spread on Windows 95, 98 and ME systems. Effects In Korea, it was estimated that as many as one million computers were affected, resulting in more than $250 million in damages. Computers at Boston College were infected and some were destroyed, many losing their information just before their final exams. 200 computers in Singapore and 100 in Hong Kong were infected with the virus, along with many others around the world. Ten major companies in India were also affected by the virus. The virus first spread through pirated software in the summer of 1998. At least four pirate groups were infected during that summer. There were also unconfirmed reports that the virus appeared in a "PWA-cracked copy" of Windows 98. From summer of 1998 to spring of 1999 , several companies unintentionally released infected software. Origin systems released a download related to its "Wing Commander" game which was infected. Three gaming magazines from Europe shipped CDs infected with the CIH and one even reportedly included a note informing users about the virus and suggesting they disinfect their computers after using the CD. Yamaha shipped an infected firmware upgrade for their CD-R400 drives. IBM Aptiva computers came with the virus pre-installed in 1999 March. Name CIH takes its name from the initials of Chen Ing-Hau, its creator. Its other popular name, Chernobyl comes largely from its payload trigger date, April 26, the same date as the Chernobyl nuclear disaster. It may have been used frequently by the press, as a reference to an infamous disaster would probably have greater dramatic effect in a news report than three initials. Antivirus Aliases * Virus Encyclopedia full name: * Avast!: Win95:CIH * Avira: W95/CIH.A * ClamAV: CIH.2 * Doctor Web: Win95.CIH.1003 * Eset: Win95/CIH * F-Prot: W32/CIH.1019.A * Grisoft: Win32/CIH * Kaspersky Lab: Virus.Win9x.CIH also known as: Win95.CIH * McAfee: W95/CIH.1019a * Panda: W95/CIH * RAV: Win95/CIH.1003 * Bitdefender: Win95.CIH.Gen * Sophos: W95/CIH-10xx * Symantec: W95.CIH * Trend Micro: PE_CIH.1003 * Vexira: Win95.CIH Other Facts Some have expressed skepticism over the virus's ability to destroy a computer's BIOS. There were no confirmed cases of a BIOS being destroyed as a result of CIH. One virus expert even speculated that the reports of BIOS corruption or destruction was a ploy to get people to discard perfectly good computers in order for them to be resold by black market dealers. He also speculated that many alleged victims of the virus, all too eager to get rid of old computers, blamed the virus for minor problems and told the management that they needed new equipment. The reported costs of damage may have actually been in new computers and software rather than repairs and lost work/time. The Payload Trigger, 1999 April 26, was thought to commemorate the Chernobyl disaster. It actually coincides with Chen's Birthday. Variants of this virus have come out as late as 2002. One variant released in 2001 was attached with a VBS script that used social engineering in the form of promising a picture of Jennifer Lopez to encourage the user to open it. Sources MSNBC. ZDnet, CIH Virus Finds New Victims. 1999.04.26 Motoaki Yamamura. Symantec.com W95.CIH Greg Sandoval, CNet. ZDNet, Virus Dresses up as Naked Jennifer Lopez. 2001.06.01 Thor Olavsrud. InternetNews, Promises of Jennifer Lopez Nude Deliver Destructive Virus 2001.06.01 Rob Rosenberger. Vmyths.com, 'The mother of all viruses,' part 2. 1998.08.15 -.-, Another urban legend in the making. 1999.04.29 F-Secure Antivirus, CIH Category:Virus Category:File virus Category:Hundred million dollar damage Category:Malicious Category:MSWindows Category:MSWindows virus Category:Assembly Category:Viruses